Each year, Verizon and other organizations release reports on the prior year’s data breach findings. A common theme each year is that the majority of breaches involved compromised credentials, which remain a weak control area that attackers continue to use to gain access, move laterally, and exfiltrate data from organizations.

End user security awareness training is a great method for helping reduce the risk of credential compromise. However, there are other compensating and complementary controls, technologies and resources that help users protect their passwords.

Password Creation

First, organizations and end users need to be educated about proper password creation. For many years we in the information security community have touted creating complex passwords as a safeguard to increase entropy and have stressed frequent rotation of passwords. All this has done is make people bad at remembering passwords, forcing them to create and/or store passwords in vulnerable ways that hackers can find, crack or recover. This has been wonderfully demonstrated in the xkcd web comic “Password Strength”:

Credit: xkcd: Password Strength – https://xkcd.com/936/

Furthermore, the National Institute of Standards and Technology (NIST), in its recent draft Special Publication 800-83-3, has changed its recommendations to favor length over complexity, along with other password hygiene approaches such as less frequent rotation and blacklisted passwords.

To meet these requirements, we train our clients to use language such as passphrase instead of password, and to use random nonconnected words (just don’t use “correcthorsebatterystaple”!) to achieve desired password strength. Note, I do want to point out that with some of our password cracking tools, we can use multiple dictionary and word lists to attack random word passphrases. Therefore, I still encourage you to add complexity by character substitution and special characters in passphrases.

Check If Your Password Is Compromised

Before you create a password, or keep using one you rely on regularly, check whether it has already been “dumped” on the open Internet or dark web as part of a breach. Security researcher Troy Hunt put together a terrific resource for this, have i been pwned? (https://haveibeenpwned.com/). This free service allows you to see if your email or user name, domain, or password has been compromised as part of a data breach where the credentials were publicly leaked.
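The password lookup on this service can be done without sending the password itself: only the first five hex characters of its SHA-1 hash go to the range endpoint, and the comparison happens locally. The sketch below is an added example, not part of the original article; the function names and the sample response body are constructed, and the response is parsed offline.

```python
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL to request for this password; it carries the hash prefix only."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_ENDPOINT + prefix


def breach_count(password, range_body):
    """Look the password up in a range response body.

    Each response line has the form SUFFIX:COUNT. Returns the number of
    times the password was seen in breaches, or 0 if it is not listed.
    """
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def acceptable(password, range_body, min_length=12):
    """Length-first policy check plus a breached-password blacklist.
    min_length is an assumed policy value, not one from the article."""
    return len(password) >= min_length and breach_count(password, range_body) == 0


# Constructed response body for prefix 5BAA6. The middle suffix is the real
# SHA-1 tail of "password"; the other suffixes and all counts are made up.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:7
"""

if __name__ == "__main__":
    print(range_url("password"))
    print(breach_count("password", SAMPLE_RANGE_BODY))
```

In a real check, the body would come from an HTTPS GET of `range_url(password)`; the same parsing applies.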

Password Managers

In security, we recommend not only that end users meet the password requirements outlined above, but also that they create a different password for each login (work, Facebook, Gmail, LinkedIn, etc.). This way, when an account is compromised on one system, the credentials cannot be used on other platforms. In practice, however, people who manage anywhere from 25-50 different credentialed accounts have only six or so passwords they use. Unless users are enabled, they will not accept this challenge. This is where password managers come in.

A password manager assists in generating and retrieving complex passwords. The password can be stored in an encrypted database or calculated on demand. The beauty is that, through a browser plugin, these managers will generate, store and manage passwords for you. All you need to do is set up a single master password for your vault.

This of course begs the question, “What if the password managers get compromised?” While a risk, it is very low. This is their business and they use multiple layers of encryption. Also, for added security, I enable two-factor authentication (discussed below) on my password manager. This way, if my very long LastPass master password gets “pwned”, it still requires a second factor, or two-factor, authentication for protection (that also has to go through a fingerprint authentication).

The following are some of the more popular password managers. They come with different features, all support mobile apps, and have free editions. I personally use LastPass and have been very happy with it.

Two-Factor Authentication

Two-factor authentication (“2FA”) offers a great solution to protecting accounts that are secured by only a single combination of a username and password. Additionally, 2FA is a great compensating control and can serve as a safety net for bad passwords if you are having difficulty adopting better policies in your organization.

2FA requires that after the initial user name and password are used for authentication, an additional biometric identifier (something you are), or a PIN or token (something you have), is used to further verify the login session.

In the past, 2FA solutions were costly and cumbersome to implement. Now with cloud and mobile platforms there are several solutions for 2FA in the enterprise and for personal use. The following are some solutions, but not all that are available. Do research to find what will work technically and culturally within your organization. You may also find the need to use multiple 2FA solutions.

Duo Security: https://duo.com/

I personally use Duo more than the other platforms. It can be used simultaneously for personal and enterprise accounts (e.g. a single app for your personal use and work accounts). Duo does have some free solutions, and their paid versions are very reasonable for enterprises at only $3 per user per month. Additionally, they have started to add more mobile device management capabilities for a few more dollars per month.

Duo supports push to device app, text message, phone calls, and soft token for second form of authentication. You can also add multiple devices. This way in case your phone dies, you can push to an iPad or secondary phone number if needed.

I have found Duo to be very easy to implement and to administer. Duo supports a TON of applications and integrations for Microsoft OWA, VPN (Palo, Cisco, WatchGuard, etc.), web apps, and more: https://duo.com/product/every-application/supported-applications

Google Authenticator: https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en 

Google has a free authenticator app that supports their products (Gmail, etc.). With 2-Step Verification enabled, you enter your password then the soft token code the application generates. It is worth looking at for your Google personal and G Suite business accounts.

One challenge I have had is with third-party applications (Google refers to them as “less secure” applications) such as Outlook with Google Authenticator. For these applications, you will need to generate App Passwords, and if you are prompted by an application for a new password after turning on 2-Step Verification, you must sign in using an App Password. This adds to the administration overhead to allow users to use app passwords, as well as increasing some of the time for user education.

Microsoft Authenticator: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to

Microsoft has added free 2FA authentication in their product stack particularly around Azure and Office 365. With these accounts, you have the option to enable Microsoft Authenticator.

Microsoft Authenticator supports push notifications to devices, soft tokens, and SMS/phone calls. For any of my Azure domains and Office 365 (“O365”) accounts, I have it set up for Outlook Web Access (“OWA”), OneDrive, and Admin account logins. However, with certain Microsoft Authenticator integrations that won’t natively support 2FA authentication, you will need to set up application passwords (https://www.windowscentral.com/how-generate-app-passwords-your-microsoft-account).

While free and rather feature rich if you are on the MSFT cloud stack, I personally found it the hardest to administer. Their documentation can be a bit difficult to find and some of the options are buried in areas of the admin panel that are not very intuitive. However, with so many people moving to O365, it’s a no brainer for end user OWA access on a budget and if you don’t need all the other integrations that something such as Duo supports.

Passwords are still a necessity in modern computing environments. While there is a lot being done from the Operating System to applications to change the way users authenticate, we will still be using the username and password authentication method for some time. If you can enable users in the areas described above, you can reduce the risk from compromised credentials becoming the weakest part of your organizational security program. If nothing else, these resources create an information security mindset and culture that can assist with a program’s overall success!

 

Kivu will be providing the technical forensics support for Endurance’s recently launched Cyber Extortion Response Services.  Working with the law firm Mullen Coughlin, Kivu will guide ransomware victims as they respond to malicious attacks, including arranging for payment in Bitcoin or other cryptocurrency, analyzing and testing decryption keys to ensure they are effectively and safely applied without further compromising the company’s network, and preparing documentation for reporting events to appropriate law enforcement agencies.

 

Kivu’s Cyber Extortion services are leading the cyber response and cyber insurance industry.  Kivu has built a reputation combating cyber extortion and responding to cyber-crime, allowing our clients to make informed, cost-effective decisions.  Our experts include analysts fluent in Russian, Chinese, Spanish, and German, trained in negotiation techniques, and highly experienced in hacking techniques and protocols.

 

A Q&A with Winston Krone of Kivu Consulting – Posted by Mark Greisiger on Junto Blog

Oct 2016

There’s no doubt that ransomware attacks are on the rise and they’re becoming more insidious. I spoke with Winston Krone, global managing director of Kivu Consulting about what the latest version of ransomware looks like and what risk managers should do if it strikes their organization.

What is ransomware?

Ransomware is a type of malware that can infect any device where the malware is opened—typically through a link in an email, but we’re seeing variants where it’s seeded on a computer and activated remotely. Either way, it’s designed to infect other devices or hosts such as servers that the original device is connected to. Its real danger to organizations is its ability to spread across systems for two reasons:

  • It can compromise vast amounts of data—once it jumps from a desktop to a server, you’re talking terabytes of data compromised rather than gigs.
  • It can jump into backups and destroy the ability to restore the system. This issue has been made worse by the recent trend of synchronized backups—though regulated organizations still require long-term backup capability. If the only backup goes back a day or two and it gets lost, you don’t have earlier versions to rebuild the system.

How does it impact companies?

In the best case scenario, you come back online in several days—the worst case scenario is that you never come back online. Ransomware attacks affect just about every type of organization. While many have already designed systems with multiple backups so they can get back online immediately following an attack, some organizations, particularly law firms, accounting firms and manufacturing companies, haven’t developed systems for safely keeping backups.

Either way, organizations need to decide whether to pay the ransom or to try to rebuild the data themselves from other areas such as employee laptops or old computers that were offline (and thus, not hit by the malware). The do-it-yourself approach turns into a significant amount of work—many hundreds of hours of labor and business downtime—and it’s rarely less than the $5000 to $20,000 ransom. Some organizations have an aversion to paying criminals and that’s a legitimate concern, but there’s a danger in trying to rebuild the data yourself. We have seen situations where organizations try to do this and then realize later that they can’t and want to pay the ransom—in the meantime, they have overridden the encrypted data and when they pay the ransom and get the decryption key it doesn’t do them any good.

Many organizations don’t include ransomware in their incident response plans or they underestimate its significance. The ones that do include it need to update the plan on a quarterly basis, at the very least. Over the last year we have seen major paradigm shifts with new types of ransomware occurring every two weeks, in terms of the attack vector, seriousness of the attacks and how they’re launched.

Can you explain how the negotiations between the perpetrator and the attacked organization work?

In the most basic ransomware, you’re simply steered to a URL and there’s really no way to communicate with the attacker. In this situation, it’s usually a relatively small amount for the ransom, probably less than $5000. In a second variant, they supply a URL but there’s some degree of communication such as a comment field and some type of handshake where they let you test a small amount of data to prove that they actually have a decryption key and it works. In the third type, there’s direct communication by email, and these are the most expensive ransoms. In these cases, they’re open to negotiation—not about the price but about the time needed to pay the ransom or to figure out how the decryption works.

In larger attacks we see a new variant whereby the basic ransom goes up by the amount of computers infected. In those cases, you can pay by individual computer affected or with a blanket global license upwards of $20,000 and they’ll give you all the keys needed. In those types of attacks, the attacker is incentivized to negotiate with you more. In general, the negotiations are not for the fainthearted—we have negotiated dozens of these cases with foreign language speakers set up with multiple identities around the world and on the dark web. Our role is to make sure the negotiations go smoothly while masking the identity of our clients to the extent that we can.

Anonymity is important. We highly recommend cloaking the identity of the attacked organization because of their ability to increase the ransom. In most cases the criminals don’t know who they’re attacking and they don’t care. However, this is something that we expect to change in the next six months or so—we think attackers will go after regulated businesses or other businesses where data is important, or choose organizations that they know carry insurance so they are more likely to get paid.

How can a company set up a bitcoin wallet in order to actually pay the ransom?

Organizations can set up their own bitcoin wallet but it is very difficult and among the lawyers and risk managers I’ve met who offer advice on this topic, almost none of them have ever actually done it themselves. It’s relatively straightforward to get a small amount of bitcoins but it’s very difficult to get a significant amount of money. Most bitcoin exchanges cap the amount of money you can get within a given time period. You can start an account and usually it takes a week to get it going and build up enough transactions to call down tens of thousands of dollars’ worth, and it’s expensive—with charges of over 15 percent per transaction. Off the exchanges,  you’re dealing with sketchy people and you’re opening yourself up to getting ripped off. Unless you already have an account and a reserve of $10,000-$20,000 you’re not readily prepared to deliver a ransom.

What are some common pitfalls in this situation?

Assuming you have money lined up and you’re ready to pay the ransom, there are still a number of things that can go wrong. You have to make sure you’re paying the right people. We’re seeing increasing examples of serious criminals getting involved in the ransom business. It’s the equivalent of thieves ripping off drug dealers. We’re also seeing organizations who have been hit by multiple attacks at the same time which can interfere with the remediation process. In some cases, the decryption key doesn’t work or the IT people don’t know how to use it properly. We have also seen instances where the decryption key itself is an attempt to get additional malware on the system.

How might a forensic expert play a role here?

We can help in every step of the process, including assisting the client with the response before paying the ransom, assisting with paying the ransom (we offer the service of paying on behalf of the client with our own bitcoins), making sure all communications are anonymous and verifying that the decryption tools themselves work and don’t contain more malware. We can also determine if the ransomware is actually a cloak or cover for an actual theft of data. In those cases, the $20,000 cost of ransom is dwarfed significantly by the cost of a data breach. We’ll make sure that the encrypted data isn’t destroyed during remediation. In the newest cases of ransomware that gets set off remotely by a hacker, forensic analysis can be required by state and federal data breach regulations to determine whether confidential data has been compromised since the hackers clearly obtained some access to the network to plant the ransomware.

What else should risk managers be aware of with regard to the threat of ransomware?

We’re seeing a lot of antivirus companies that claim to be developing tools that can spot ransomware and stop it, or vaccinate computers against it, but we caution people to be very skeptical about these claims. These tools might be able to stop poorly designed ransomware but the fact is, it’s getting more sophisticated all the time—the hackers are figuring out how to outsmart us by masking the malware and the attack vector. What organizations really need to do is go back to the basics—designing a sound infrastructure for computer systems so that if there’s infection it won’t spread, and prepare for an encounter with ransomware with a detailed incident response plan.

In summary…

We want to thank Winston for his granular insights into this threat, which seems to be impacting cyber liability insurance clients on a weekly basis these days. We also think it’s important for a risk manager to see that there are many challenging and nuanced steps involved in resolving this type of cyber risk. An organization should not undertake resolution without the guidance of a Breach Coach® lawyer and forensic/security expert who has experience with extortion. Mr. Krone is a frequent speaker at NetDiligence® Cyber Liability Conferences. 

 

Testing the Password Encryption Strength of NT LAN Manager and LAN Manager Hash

Security risks associated with weak user-created passwords are well documented. In 2009, for example, cyber security provider Imperva analyzed more than 32 million passwords that were released in a 2009 data breach. More than 50% of the passwords involved poor user password choices, and 30% of the passwords contained 6 or fewer characters. User habits in poor password construction improve the chances of successful password determination by hackers who use password-guessing software.

Kivu recently participated in an experiment to evaluate the password encryption strength of two Windows Operating System authentication protocols.

LAN Manager (LM) hash employs a multi-step algorithm to transform a user password into a calculated string value that obfuscates a password’s identity. The resulting LM hash is stored rather than the original password. First, a user’s password is converted to all uppercase letters. Next, the uppercase password is set to a 14-byte length. For passwords greater than 14 bytes, the password is truncated after the 14th byte. Passwords less than 14 bytes are null-padded to reach 14 bytes. The 14-byte password is split into two 7-byte segments, and a null is added at the beginning of each 7-byte half. Each half is used as a key to DES-encrypt the ASCII string “KGS!@#$%”. Both output values are concatenated to create a 16-byte LM hash value.

Microsoft’s second encryption method, NT LAN Manager (NTLM), is an improved algorithm for securing a password’s identity. Beginning with Microsoft Windows NT 3.1, NTLM was introduced to improve security. NTLM passwords differ from LM passwords in that NTLM employs the Unicode character set with the ability to differentiate upper and lowercase letters and permits passwords up to 128 characters in length.

Kivu’s experimental design to compare the relative strength of these two encryption methods employed Cain and Abel password-guessing software and different Windows passwords of increasing complexity.

How Cain and Abel Works

Cain and Abel provides the ability to execute password-guessing schemes using dictionary attacks and brute-force attacks. Both dictionary attacks and brute-force attacks employ guess-based methodologies to identify the plain text password associated with a specific hash-encrypted password.

Dictionary attacks use a pre-defined list of search terms or phrases as the basis for guessing. Each search term is transformed into a hash string value using a specific hash algorithm, such as the LM hash protocol. The resulting hash value is compared to a hash value of interest, and if the hash values match, the plain text password is identified.

Brute force attacks attempt every combination of defined search criteria to identify the plain text password associated with a hashed password. Search criteria settings include the use of character sets, such as ASCII and the number of characters in a password.

Conclusions

Kivu’s experimental results yielded significant insights concerning the strengths of the NTLM password algorithm, which is Microsoft’s replacement to LM.

None of the NTLM-transformed passwords we used were quickly resolved through brute force attack. Our experiment suggested that the passwords established for the test user accounts would take more than 4 years to determine. While our brute-force attacks were limited to less than 3 minutes, NTLM hash protocols were identified as having substantial lead times to identify plain text equivalents of NTLM-hashed equivalents.

LM’s password hashing approach to obfuscating plain text passwords, however, was limited in its success. As observed with three test user passwords, brute force password guessing resulted in a partial identification of LM passwords, due to LM’s sub-division of the password string during the hashing algorithmic process.
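The partial identification follows directly from the 7/7 split described earlier. The sketch below is an added example, not Kivu's test code: it reproduces the uppercase, pad and split steps that precede the DES stage, then goes a little beyond the text by showing what a stored LM hash reveals about password length and how small the search becomes when the halves are guessed separately. Function names, character-set sizes and the sample dump are assumptions made for illustration.

```python
import math

# Well-known LM output for a 7-byte half that is all nulls (a general fact
# about LM hashes, not a value taken from this article).
LM_EMPTY_HALF = "aad3b435b51404ee"

LM_CHARSET = 69    # assumption: 95 printable ASCII characters minus 26 lowercase
FULL_CHARSET = 95  # assumption: case-sensitive printable ASCII, for comparison


def lm_halves(password):
    """Apply the pre-DES steps: uppercase, fix to 14 bytes, split 7/7."""
    raw = password.upper().encode("ascii", "replace")  # ASCII assumed for simplicity
    raw = raw[:14].ljust(14, b"\x00")                  # truncate or null-pad
    return raw[:7], raw[7:]


def classify_lm_hash(lm_hex):
    """Read password-length information straight off a stored LM hash."""
    lm_hex = lm_hex.strip().lower()
    if len(lm_hex) != 32 or any(c not in "0123456789abcdef" for c in lm_hex):
        raise ValueError("LM hash must be 32 hex characters")
    first, second = lm_hex[:16], lm_hex[16:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "blank password or no LM hash stored"
    if second == LM_EMPTY_HALF:
        return "password is 7 characters or fewer"
    return "password is 8 or more characters; halves can be guessed separately"


def search_bits(charset, max_len, parts=1):
    """log2 of the candidate count for `parts` independent searches."""
    return math.log2(parts * sum(charset ** n for n in range(1, max_len + 1)))


def audit(dump_lines):
    """Map each 'user:lmhash' line to the finding for that account."""
    findings = {}
    for line in dump_lines:
        user, _, lm_hex = line.partition(":")
        findings[user] = classify_lm_hash(lm_hex)
    return findings


# Constructed sample: the non-empty halves are made-up hex, not real hashes.
SAMPLE_DUMP = [
    "alice:0123456789abcdef" + LM_EMPTY_HALF,
    "bob:fedcba98765432101122334455667788",
    "carol:" + LM_EMPTY_HALF * 2,
]

if __name__ == "__main__":
    print(lm_halves("Password1"))
    for user, finding in audit(SAMPLE_DUMP).items():
        print(f"{user}: {finding}")
    print(f"LM, two 7-byte halves: {search_bits(LM_CHARSET, 7, parts=2):.1f} bits")
    print(f"14 case-sensitive characters: {search_bits(FULL_CHARSET, 14):.1f} bits")
```

Accounts flagged by `audit` are the ones to prioritise when disabling LM hash storage and forcing a password change.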

Our results indicated that both NTLM and LM passwords are susceptible to compromise in a well-designed and broad dictionary attack. Overall, NTLM hashed password equivalents may be stronger than LM in simple dictionary attacks. In substantial dictionary attacks, however, it may be more likely to identify an NTLM password due to the ability to match a calculated hash value from a dictionary. While dictionary-based attacks may be limited in their combinations of matches, larger dictionaries provide more opportunities for a match.

 

Kivu (www.kivuconsulting.com) is a nationwide technology firm specializing in the forensic response to data breaches and proactive IT security compliance. Headquartered in San Francisco with offices in Los Angeles, New York, Washington DC, and Vancouver, Kivu handles assignments throughout the US and Canada, and is a pre-approved cyber forensics vendor for leading North American insurance carriers. Author, Megan Bell, directs data analysis projects and cyber security investigations at Kivu.